New Research Report Reveals Trends and Tactics Used in Ransomware Demands

Analysis of the psychology behind digital ransom notes, commissioned by SentinelOne, sheds light on the range of social engineering tactics used by cyber attackers


PALO ALTO, Calif. & LONDON—July 21, 2017SentinelOne, the company transforming endpoint protection by delivering unified, multi-layer protection driven by machine learning and intelligent automation, has commissioned a new report examining ransomware ‘splash screens’ – the initial warning screens of ransomware attacks.

The report “Exploring the Psychological Mechanisms used in Ransomware Splash Screens by Dr. Lee Hadlington PhD,1 senior lecturer of cyberpsychology at De Montfort University, Leicester, reveals how social engineering tactics are used by cyber criminals to manipulate and elicit payments from individuals. It provides analysis of the language, visuals and payment types from 76 splash screens, to highlight how key social engineering techniques – fear, authority, scarcity (or urgency) and humour – are exploited by cyber criminals in ransomware attacks.

The report also examines the differing levels of sophistication on the part of the attackers and comes in the wake of recent global ransomware attacks which have struck both public sector and private organisations, causing massive disruption and costing businesses millions2 in lost revenue.

From the analysis of the splash screen samples, common trends highlighted include:

  • Time criticality: In over half the samples (57%), the ‘ticking clock’ device – in which a specific amount of time is given to pay a ransom – was used to create a sense of urgency and to persuade the victim to pay quickly. Deadlines given ranged from 10 hours to more than 96 hours.
  • Consequences: The most likely consequence given for not paying the demand or missing the deadline was that files would be deleted and the victim would not be able to access them. In other screens, threats were made to publish the locked files on the Internet.
  • The Customer Service Approach: 51% of splash screens included some aspect of customer service, such as instructions on how to buy Bitcoins (BTC) or presenting frequently asked questions (FAQs). One example offers victims the chance to ‘speak to a member of the team’.
  • Imagery: The research also examines the use of a variety of imagery, including official trademarks or emblems, such as the crest of the FBI, which instil the notion of authority and credibility to the request. One of the most prominent pop cultural images used was ‘Jigsaw’ – a character from the Saw horror movie series.
  • Payment: BTC was the preferred mechanism for payment; 75% of ransomware splash screens asked for payment in BTC. Over half the sample (55%) contained the ransom demand in the initial splash screen. The average amount asked for by attackers was 0.47 BTC ($1,164 USD).

“We know that psychology plays a significant part in cyber crime – what’s been most interesting from this study is uncovering the various ways that key social engineering techniques are used to intimidate or influence victims” said Hadlington. “With ransomware on the rise, it’s important that we improve our understanding of this aspect of the attack and how language, imagery and other aspects of the initial ransom demand are used to coerce victims.”

“Although ransomware has leapt to the top of the public’s consciousness following recent attacks, what’s been less well documented is exactly how the criminals are manipulating their targets into paying up,” said Tony Rowan, chief security consultant at SentinelOne. “This report sheds light on the most common tactics used, with the aim that, through awareness, we are better placed to advise individuals and businesses how not to be duped by these criminals’ claims.”

A copy of the full “Psychology of Digital Ransom Notes” report is available for download here.


Notes for Editors

  1. Dr. Lee Hadlington PhD FHEA CPsychol AFBPsS, Senior Lecturer in Cyberpsychology and Chartered Psychologist, Psychology and Technology Research Group. De Monfort University, Leicester


About SentinelOne

SentinelOne is shaping the future of endpoint security with an integrated platform that unifies the detection, prevention and remediation of threats initiated by nation states, terrorists, and organized crime. SentinelOne’s unique approach is based on deep inspection of all system processes combined with innovative machine learning to quickly isolate malicious behaviors, protecting devices against advanced, targeted threats in real time. SentinelOne was formed by an elite team of cyber security and defense experts from IBM, Intel, Check Point Software Technologies, McAfee, and Palo Alto Networks. To learn more visit or follow us at @SentinelSec.


UK Media Contact:

Kirsten Scott, Kelly Friend or Barry Salmon
éclat Marketing
01276 486000
[email protected]